US government cybersecurity apparently doesn’t include email security.

High-profile declarations and executive orders from both former US President Barack Obama and his successor, President Donald Trump, list cybersecurity is a “top priority”. But that hasn’t yet been applied to one of the biggest, most vulnerable attack surfaces in any organization.

A recent open letter from Sen. Ron Wyden (D-Ore.) to the Department of Homeland Security (DHS) notes that most federal departments aren’t using an email security protocol that has been around for the past five years.

Wyden, in a July 18 letter, asked the agency to “take immediate steps” to mandate that all federal agencies implement DMARC (Domain-based Message Authentication, Reporting and Conformance), an email authentication, policy, and reporting protocol launched in 2012 that helps prevent email domain spoofing.

This wasn’t his first request. In an earlier letter this past April to the commissioner of the Internal Revenue Service (IRS), Wyden complained that the agency had only partially enabled DMARC – to protect itself, but not taxpayers.

The IRS, he wrote had configured DMARC, “in a less restrictive mode. As a result, the IRS receives automatic alerts when the organization is impersonated by fraudsters, but unsuspecting taxpayers are not warned or automatically protected.”

Sophos Home

According to Wyden, the only federal agencies so far that have enabled it are the National Institute for Standards and Technology (NIST), the Federal Trade Commission (FTC), Federal Deposit Insurance Corporation (FDIC) and Social Security Administration (SSA).

Industry standard technologies exist, and are already used throughout the private sector and even by a few federal agencies, which, if enabled, would make it significantly harder for fraudsters and foreign governments to impersonate federal agencies.”

Wyden went on to add that it would, “prevent fraudsters from being able to send emails that purport to come from .gov domains”.

“Prevent” might be promising too much. While the launch of DMARC had the backing of internet giants like Google, Microsoft, PayPal, Facebook, LinkedIn and Comcast, and generated breathless headlines about the elimination of phishing emails, that obviously has not happened – something Naked Security’s Paul Ducklin predicted at the time.

But, if used as instructed, which requires it to be built on a foundation of “the basics” – email security tools DomainKeys Identified Mail (DKIM) and the Sender Policy Framework (SPF) – DMARC does indeed making spoofing emails “significantly harder”.

For the first time, organisations using DKIM and SPF could add a policy to their DNS records that told others how to treat email failing their security criteria. Importantly, it provided a feedback mechanism for recipients to tell senders what was being received in their name, essential for domain owners that wanted to gain intelligence on email spoofing.

And while the phishing industry is endlessly adaptable – Dunn also wrote that “phishing criminals have evolved to exploit a broader set of weaknesses in email, especially mobile clients” – the evidence strongly suggests that DMARC would keep government email systems out of the “low-hanging fruit” category.

Wyden’s letter noted that since last year, when the UK required all government agencies to enable DMARC, the nation’s tax agency said, “it reduced the number of phishing emails purporting to come from that agency by a staggering 300 million messages in one year.”

And Brett McDowell, executive director of the FIDO Alliance and founding chairman of DMARC, said while the threat of phishing remains, when DMARC is implemented by both the sender and receiver, “it is 100% effective in shutting down the most dangerous vector” – the spoofing of domains.

“Finally, in the history of email, it’s a way to look at the address to see if it’s a legitimate domain – is it coming from [a company like] PayPal or not. It’s a huge enabler,” he said, adding that when properly implemented it is friction-free: “The user never sees it – never has to deal with it. Every domain you protect, you can block them all.”

He said the full implementation of DMARC by the Internal Revenue Service could prevent millions of bogus emails purporting to come from the agency around tax time.

In a 2013 tweet following news stories about it, he said, “Part of the reason bogus IRS e-mail continues […] is because the agency has not yet adopted […] DMARC.”

Wyden is not the first to urge adoption of DMARC. NIST did so last September, in its Special Publication 800-177 titled “Trustworthy Email”

All of which raises the obvious question: why hasn’t this been in place across government agencies at all levels – not just federal – for several years?

Wyden’s office did not respond to requests for comment. But McDowell said while he has been shocked that the federal government hadn’t adopted DMARC years ago, and remains, “surprised that it took an elected official” to prod departments like DHS to mandate it, he is glad the matter is getting some attention.

“Hey, whatever it takes,” he said. “If things get more secure as a result, that’s what matters.”

I am a firm believer that every company in the world should be using SPF, DKIM and DMARC (in its most restrictive mode). The challenge is that if a company simply turns all this stuff on, it can break a lot of things. Why? Typically vendor relationships. Turning all these features on takes planning. Having said that, these technologies are several years old and should have been implemented by most companies by now.

The other issue is some vendors still have not updated their capabilities to allow their clients to use all these tools.

At the end of the day, these old school capabilites need to be talked about and campanies need to start implementing them. It is sad how many emails I get every day from companies that are not turning these capailites on.